
A Glimpse into the “Search Your Target” Market for Stolen Credentials

Why This Matters

The emergence of searchable underground credential services signifies a shift in cybercriminal tactics, enabling more targeted and efficient account compromises. This development increases the sophistication of cyber threats, making it more challenging for organizations and consumers to defend against credential-based attacks.

Key Takeaways

Threat actors are increasingly turning massive infostealer-derived credential collections into searchable underground services, allowing buyers to request credentials for a specific company, platform, domain, geography, or account type.

Flare researchers analyzed 470 underground forum posts published between January 2025 and June 2026, across different sources, related to actors offering to search for and extract stolen credentials from their databases. The dataset included advertisements, reposts, buyer feedback, pricing references, and disputes around quality and validity.

The findings show a dedicated service layer sitting between infostealer infections, raw logs trading and account takeover activity. The profile of the threat actors who offer these services is divided between the Malware-as-a-Service (MaaS) providers and the MaaS consumers.

In many cases, they function as credential brokers or data processors, monetizing the vast number of logs and their ability to search, filter, format, and deliver targeted results from large stolen credential collections.

Key Points

Analysis of 470 underground posts illustrates a pinpointed service that offers targeted extraction, filtering, deduplication, formatting, and freshness from large infostealer databases containing tens of billions of lines. It functions as an alternative to combo lists: instead of purchasing a bulk dump, buyers query a seller's existing data and receive only the results that match their target.

The market overlaps with the Initial Access Broker (IAB) ecosystem, but is not identical to it. Common output formats included URL:LOGIN:PASS, MAIL:PASS, LOGIN:PASS, PHONE:PASS, MAIL:PHONE, and MAIL:LOGIN.

Interestingly, buyer feedback showed a gap between what is advertised and the actual results: in reality the volume is lower, and the credentials are often invalid, duplicated and generally unusable.
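For defenders, the output formats and the duplicate and invalid entries described above matter when triaging an exposure-monitoring feed for their own organization. The sketch below is an added example, not code from Flare or the original article; `ORG_DOMAINS`, the `SAMPLE` lines and all function names are assumptions. It parses the listed formats, discards malformed and duplicate lines, and keeps only entries touching the organization's domains, storing a password fingerprint instead of the plaintext.

```python
import hashlib
import re
from urllib.parse import urlsplit

ORG_DOMAINS = {"example.com"}  # assumption: the defender's own domains
# URL:LOGIN:PASS: the URL itself holds colons (scheme, port), so match its shape
URL_LINE = re.compile(r"^(\w+://[^/\s:]+(?::\d+)?(?:/[^\s:]*)?):([^:\s]+):(.+)$")
EMAIL = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")
PHONE = re.compile(r"^\+?\d{7,15}$")
SAMPLE = [  # constructed lines, not real data
    "https://sso.example.com:8443/login:alice:P@ss:word1",
    "https://sso.example.com:8443/login:alice:P@ss:word1",
    "bob@example.com:hunter2", "carol@other.test:letmein",
    "+15555550100:123456", "no-separator-here",
]

def parse_line(line):
    """Return (fmt, host, identity, secret), or None for a malformed line."""
    line = line.strip()
    m = URL_LINE.match(line)
    if m:
        return ("URL:LOGIN:PASS", (urlsplit(m.group(1)).hostname or "").lower(), m.group(2), m.group(3))
    identity, sep, secret = line.partition(":")
    if not (sep and identity and secret) or secret.startswith("//"):
        return None
    # Second field is treated as a secret: MAIL:LOGIN / MAIL:PHONE look like MAIL:PASS
    kind = "MAIL" if EMAIL.match(identity) else "PHONE" if PHONE.match(identity) else "LOGIN"
    return (kind + ":PASS", "", identity, secret)

def in_org(name):
    return any(name.lower() == d or name.lower().endswith("." + d) for d in ORG_DOMAINS)

def triage(lines):  # keep unique entries touching ORG_DOMAINS, count the rest
    seen, hits, stats = set(), [], {"malformed": 0, "other_org": 0, "duplicate": 0}
    for rec in map(parse_line, lines):
        if rec is None:
            stats["malformed"] += 1
            continue
        fmt, host, identity, secret = rec
        fp = hashlib.sha256(secret.encode()).hexdigest()[:12]  # keep no plaintext
        key = (host, identity.lower(), fp)
        if not (in_org(host) or in_org(identity.rpartition("@")[2])):
            stats["other_org"] += 1
        elif key in seen:
            stats["duplicate"] += 1
        else:
            seen.add(key)
            hits.append({"format": fmt, "host": host, "account": identity, "secret_fp": fp})
    return hits, stats
```

The accounts in `hits` are the ones to reset and review; the fingerprint lets repeated deliveries of the same entry be recognized without retaining the password.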

How Does the “Search Your Target” Service Work

The “search your target” market sits in the middle of the account takeover chain.
